[apex-tripleo-heat-templates.git] / puppet / services / swift-proxy.yaml
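# Heat template for the Swift proxy service, configured through Puppet.
# It declares the deployment parameters, composes the shared Swift base and
# TLS-proxy base templates, and emits role_data: hiera config settings, the
# Puppet step config, Keystone registration data and upgrade tasks.
heat_template_version: pike

description: >
  OpenStack Swift Proxy service configured with Puppet

parameters:
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  # Passed through unchanged to SwiftBase and TLSProxyBase below.
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  # Declared here but not referenced anywhere else in this template.
  Debug:
    default: ''
    description: Set to True to enable debugging on all services.
    type: string
  # No default: the deployer must supply it. 'hidden' keeps the value out of
  # Heat API output. It is used twice below: as the authtoken password of the
  # proxy and as the password of the swift service user registered in Keystone.
  SwiftPassword:
    description: The password for the swift service account, used by the swift proxy services.
    type: string
    hidden: true
  SwiftProxyNodeTimeout:
    default: 60
    description: Timeout for requests going from swift-proxy to swift a/c/o services.
    type: number
  SwiftWorkers:
    default: auto
    description: Number of workers for Swift service.
    type: string
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  MonitoringSubscriptionSwiftProxy:
    default: 'overcloud-swift-proxy'
    type: string
  # No default and hidden, like SwiftPassword. Only consumed by the ceilometer
  # middleware settings below.
  RabbitPassword:
    description: The password for RabbitMQ
    type: string
    hidden: true
  # NOTE(review): 'guest' is RabbitMQ's stock account name; a deployment that
  # keeps this default shares one broker identity across services. Prefer
  # overriding it with a dedicated user.
  RabbitUserName:
    default: guest
    description: The username for RabbitMQ
    type: string
  SwiftCeilometerPipelineEnabled:
    description: Set to False to disable the swift proxy ceilometer pipeline.
    default: True
    type: boolean
  RabbitClientPort:
    default: 5672
    description: Set rabbit subscriber port, change this if using SSL
    type: number
  # NOTE(review): defaults to false, so unless this is overridden the
  # ceilometer middleware authenticates to RabbitMQ with RabbitPassword over a
  # connection that is not SSL-protected. The type is 'string', not 'boolean';
  # the value is handed as-is to the two *_use_ssl settings below.
  RabbitClientUseSSL:
    default: false
    description: >
        Rabbit client subscriber parameter to specify
        an SSL connection to the RabbitMQ host.
    type: string
  # Drives the use_tls_proxy condition and is forwarded to TLSProxyBase.
  EnableInternalTLS:
    type: boolean
    default: false

conditions:

  ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, True]}
  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}

resources:
  # Shared Swift settings; its role_data is merged into config_settings below.
  SwiftBase:
    type: ./swift-base.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

  # Supplies the TLS-proxy config_settings and metadata_settings used in outputs.
  TLSProxyBase:
    type: OS::TripleO::Services::TLSProxyBase
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      EnableInternalTLS: {get_param: EnableInternalTLS}

outputs:
  role_data:
    description: Role data for the Swift proxy service.
    value:
      service_name: swift_proxy
      monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
      config_settings:
        # Later maps win on key collisions, so the settings in the third map
        # override anything inherited from SwiftBase or TLSProxyBase.
        map_merge:
          - get_attr: [SwiftBase, role_data, config_settings]
          - get_attr: [TLSProxyBase, role_data, config_settings]
          # Token validation goes to the internal Keystone endpoint.
          - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
            swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            swift::proxy::authtoken::password: {get_param: SwiftPassword}
            swift::proxy::authtoken::project_name: 'service'
            swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout}
            swift::proxy::workers: {get_param: SwiftWorkers}
            swift::proxy::ceilometer::rabbit_user: {get_param: RabbitUserName}
            swift::proxy::ceilometer::rabbit_password: {get_param: RabbitPassword}
            swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
            swift::proxy::ceilometer::nonblocking_notify: true
            tripleo::profile::base::swift::proxy::rabbit_port: {get_param: RabbitClientPort}
            tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RabbitClientUseSSL}
            tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled}
            # Both ports are opened regardless of EnableInternalTLS.
            # NOTE(review): 13808 is presumably the TLS-terminated public
            # port; confirm against the endpoint map before tightening.
            tripleo.swift_proxy.firewall_rules:
              '122 swift proxy':
                dport:
                  - 8080
                  - 13808
            # Keep this list identical to swift::keystone::auth::operator_roles
            # under service_config_settings; the two are maintained by hand.
            swift::proxy::keystone::operator_roles:
              - admin
              - swiftoperator
              - ResellerAdmin
            swift::proxy::versioned_writes::allow_versioned_writes: true
            # Middleware order is significant. ratelimit, tempurl and formpost
            # sit before authtoken/keystone, so they see requests before
            # Keystone authentication; staticweb, quotas and the large-object
            # middlewares sit after it. The yaql filter drops the empty string
            # that the 'if' yields when the ceilometer pipeline is disabled.
            swift::proxy::pipeline:
              yaql:
                expression: $.data.pipeline.where($ != '')
                data:
                  pipeline:
                  - 'catch_errors'
                  - 'healthcheck'
                  - 'proxy-logging'
                  - 'cache'
                  - 'ratelimit'
                  - 'bulk'
                  - 'tempurl'
                  - 'formpost'
                  - 'authtoken'
                  - 'keystone'
                  - 'staticweb'
                  - 'copy'
                  - 'container_quotas'
                  - 'account_quotas'
                  - 'slo'
                  - 'dlo'
                  - 'versioned_writes'
                  -
                    if:
                    - ceilometer_pipeline_enabled
                    - 'ceilometer'
                    - ''
                  - 'proxy-logging'
                  - 'proxy-server'
            swift::proxy::ceilometer::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
            swift::proxy::account_autocreate: true
            # NOTE: the bind IP is resolved in Heat by replacing the network
            # name with the local node IP for that network. Replacement
            # examples (e.g. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet -> IP/CIDR
            tripleo::profile::base::swift::proxy::tls_proxy_bind_ip:
              get_param: [ServiceNetMap, SwiftProxyNetwork]
            # $NETWORK is substituted with the network name, giving a hiera
            # lookup of that network's fqdn_<network> key.
            tripleo::profile::base::swift::proxy::tls_proxy_fqdn:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
            tripleo::profile::base::swift::proxy::tls_proxy_port:
              get_param: [EndpointMap, SwiftInternal, port]
            swift::proxy::port: {get_param: [EndpointMap, SwiftInternal, port]}
            # With internal TLS enabled the proxy listens on localhost only,
            # presumably so that network clients can reach it solely through
            # the TLS proxy bound above; otherwise it binds directly to the
            # SwiftProxyNetwork address and serves without that TLS front end.
            swift::proxy::proxy_local_net_ip:
              if:
              - use_tls_proxy
              - 'localhost'
              - {get_param: [ServiceNetMap, SwiftProxyNetwork]}
      step_config: |
        include ::tripleo::profile::base::swift::proxy
      # Settings applied on the node running the keystone service: endpoint
      # registration and the swift service user.
      service_config_settings:
        keystone:
          swift::keystone::auth::public_url: {get_param: [EndpointMap, SwiftPublic, uri]}
          swift::keystone::auth::internal_url: {get_param: [EndpointMap, SwiftInternal, uri]}
          swift::keystone::auth::admin_url: {get_param: [EndpointMap, SwiftAdmin, uri]}
          swift::keystone::auth::public_url_s3: {get_param: [EndpointMap, SwiftS3Public, uri]}
          swift::keystone::auth::internal_url_s3: {get_param: [EndpointMap, SwiftS3Internal, uri]}
          swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
          swift::keystone::auth::password: {get_param: SwiftPassword}
          swift::keystone::auth::region: {get_param: KeystoneRegion}
          swift::keystone::auth::tenant: 'service'
          # The S3 URLs above are supplied, but the S3 endpoint itself is not
          # configured.
          swift::keystone::auth::configure_s3_endpoint: false
          # Must match swift::proxy::keystone::operator_roles in config_settings.
          swift::keystone::auth::operator_roles:
            - admin
            - swiftoperator
            - ResellerAdmin
      upgrade_tasks:
        # Stops the proxy at upgrade step1.
        - name: Stop swift_proxy service
          tags: step1
          service: name=openstack-swift-proxy state=stopped
      metadata_settings:
        get_attr: [TLSProxyBase, role_data, metadata_settings]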